Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
ISA, Security, Windows January 7th, 2008
Firewall Policy
In Part II, you configured the network topology. Now you need to create a policy rule that allows traffic to pass through the ISA Server.
By default, ISA Server is configured with a default rule that blocks all traffic passing through it. You can add rules to match your organization's policy. For each rule, you can set the action (allow or deny), protocols, source and destination addresses, users (ISA Server can integrate with Active Directory), the time during which the rule applies, and content types.
The series is divided into 5 parts:
- Getting started with Microsoft ISA Server 2006, Part I: Installation
- Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
- Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
- Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
- Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
Step-by-step
Next, I will create a new web access rule that lets all users in the internal network access the Internet (external network) using only the HTTP (port 80) and HTTPS (port 443) protocols.
- Open ISA Server Management. Expand the server name (in this example, BKKFRW001) -> right-click Firewall Policy -> New -> Access Rule.

- The New Access Rule Wizard appears. Enter the name of the access rule. Click Next.

- On Rule Action, select Allow. Click Next.

- On Protocols, click Add. The Add Protocols window appears; expand Common protocols and select HTTP and HTTPS.

- On Access Rule Sources, click Add. The Add Network Entities window appears; expand Networks and select Internal.

- On Access Rule Destinations, add the External network.

- On User Sets, leave All Users. Click Next.

- Click Finish to complete the new rule.

- Again, don’t forget to apply your settings on ISA Server for them to take effect. Click Apply.

The next part will be about configuring clients to access ISA Server.
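As an added illustration (not part of the original tutorial and not ISA Server code), this simplified Python model shows how the resulting policy treats traffic: rules are checked in order, and the built-in default rule denies whatever the new rule does not match. The rule name "Web Access" and the Internal range 192.168.1.0/24 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the Internal network is 192.168.1.0/24 (constructed for this example).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

def network_of(ip):
    """Map an address to a network name; External is everything not Internal."""
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL else "External"

# Protocol definitions by (transport, destination port), as stated in the tutorial.
PROTOCOLS = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}

@dataclass
class Rule:
    name: str
    action: str          # "Allow" or "Deny"
    protocols: tuple     # protocol names; an empty tuple means all traffic
    sources: tuple       # source network names
    destinations: tuple  # destination network names

POLICY = [
    # The rule built in the wizard; "Web Access" is a hypothetical name.
    Rule("Web Access", "Allow", ("HTTP", "HTTPS"), ("Internal",), ("External",)),
    # The built-in last rule: denies everything no earlier rule matched.
    Rule("Default rule", "Deny", (), ("Internal", "External"), ("Internal", "External")),
]

def evaluate(src_ip, dst_ip, transport, port, policy=POLICY):
    """Return (action, rule name) of the first rule matching the connection."""
    for rule in policy:
        proto_ok = not rule.protocols or any(
            PROTOCOLS[p] == (transport, port) for p in rule.protocols)
        if (proto_ok and network_of(src_ip) in rule.sources
                and network_of(dst_ip) in rule.destinations):
            return rule.action, rule.name
    return "Deny", "Default rule"

# Constructed connection attempts (documentation address ranges).
SAMPLES = [
    ("192.168.1.20", "203.0.113.10", "tcp", 443),  # HTTPS from a client
    ("192.168.1.20", "203.0.113.53", "udp", 53),   # DNS lookup
    ("192.168.1.20", "203.0.113.25", "tcp", 110),  # POP3
    ("203.0.113.10", "192.168.1.20", "tcp", 80),   # inbound from External
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", evaluate(*sample))
```

The DNS and POP3 samples fall through to the default rule, so any other protocol that clients need requires its own access rule.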
July 29th, 2008 at 3:13 pm
Dear Linglom.com Team,
Your web site is so nice and informative; I have never seen one like it before. Keep it up, it is really nice work you people have done.
Thanks
Qazzafi,
System and Network Administrator,
Govt. of Punjab, Pakistan.
August 25th, 2008 at 11:44 am
Hi, you did a very nice guide for ISA Server.
May I ask you something?
I am new to ISA Server. Does running ISA Server require installing or running any programs like SQL Server or other software?
August 27th, 2008 at 3:27 pm
By default, ISA Server 2006 will automatically install MSDE as a database system. You can change this configuration after installation.
Also, ISA Server 2006 must be installed on Windows Server 2003. For more information, see this reference: ISA Server 2006 System Requirements
If you’re new to ISA Server, you can try the trial version at Internet Security and Acceleration (ISA) Server 2006 180-Day Trial Version
October 8th, 2008 at 4:55 pm
How can I configure ISA server via ssh cmd command line?
October 8th, 2008 at 4:56 pm
I’m only able to access the server via ssh right now; that is why I’m asking.
October 9th, 2008 at 4:46 am
Ambedo, good question. I think linglom is doing this on a private network, and people should take care when working on remote servers. Make sure to plan and set this up prior to putting ISA on the server. Myself, I used a VPN tunnel with rqs/rqc for remote install from a TechNet tutorial.
November 8th, 2008 at 7:58 pm
Dear Linglom;
Thanks for the useful info you are publishing and your useful contribution.
I succeeded in installing ISA Server 2006 and creating a web access rule, and now the Internet is working fine for clients; note that the client type I am using is Web proxy client. But when I came to Outlook usage, I created POP3 and SMTP allow rules, but it is still not working.
Then I changed my client type to firewall client and it is still not working, so can anyone help, please?
Also, is there any way to use POP3 and SMTP on a web proxy client without needing the firewall client?
Regards;
November 9th, 2008 at 10:47 am
Hi, Waleedd
I think it depends on the mail server. Some use different protocols. For instance, Hotmail uses HTTP instead of POP3 and SMTP. In Outlook, select Tools -> Accounts -> select the Mail tab. You’ll see the existing list of mail accounts. Try double-clicking one and select the Servers tab; you’ll see what protocols it was configured to use.
Also, Outlook shares the Internet connection with Internet Explorer. So you don’t need to install the firewall client if you have already configured the proxy in Internet Explorer.
November 10th, 2008 at 12:37 pm
Dear Linglom…
I’m new to server configuration and your site is very useful to people like me. The screenshots with explanations are very helpful. Thanks for the great site… Thanks a lot.
Ranjith.
November 10th, 2008 at 6:58 pm
Dear Linglom;
Thanks for your attention. I found it uses POP3 and SMTP. The strange thing is that the rule I created worked with Outlook Express and didn’t work with Microsoft Office Outlook! Also, it worked when the firewall client was present, but when I removed it, it didn’t work even for Outlook Express. Furthermore, the same happened with the messenger: when I configured an allow rule for MSN Messenger, it worked only when the firewall client was installed on the client PC. Do you have any suggestions, please?
Thanks for your help and support.
Waleedd;
November 10th, 2008 at 7:21 pm
To Waleedd,
You have to check whether Microsoft Office Outlook is configured to use the same protocols as Outlook Express. I never use it, so you have to try it yourself.
About the firewall client, have you re-configured the Internet Explorer proxy (web proxy client) after you uninstalled the firewall client? For MSN Messenger, you can troubleshoot it in Options -> Connection.
November 11th, 2008 at 1:04 am
Hi Linglom;
I very much appreciate your support and help.
I found a solution for the ISA and Outlook problem: a small setting you should allow in the ISA management tool. The link below is a forum thread at isaserver.org describing the same problem and suggested solutions:
http://forums.isaserver.org/External_POP3_%26_SMTP/m_2002076137/tm.htm
and the link below is an article at isaserver.org that holds the solution for the problem:
http://www.isaserver.org/articles/2004olpop3smtp.html
Thanks again;
Waledd;
November 11th, 2008 at 6:44 am
We already have a firewall set up on our network. Is it possible to turn off the firewall on the ISA server and just use it as a cache proxy server? What I am after is Internet speed, which I am getting, but sometimes the ISA is blocking web sites and is interrupting classroom school time.
Thanks for your time
November 12th, 2008 at 9:09 pm
You can configure ISA Server as a proxy server by using the Single Network Adapter Template. With this template, ISA Server requires only a single network adapter and it may be used for web proxy, caching, etc.
But I’ve never tried this template. For more information about the template, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at TechNet – Microsoft.
December 24th, 2008 at 5:48 pm
You should add DNS too, because otherwise clients can’t resolve domain names. If not, you can’t visit websites by name.
January 28th, 2009 at 4:25 pm
Hi guys, I have a problem now… I am able to connect to the Internet through ISA, but the Internet is accessible for only 2 to 3 minutes; after that there is no Internet access (even from ISA). The interesting fact is that I can ping Google at that time from ISA.
How can I solve this issue?
January 29th, 2009 at 9:07 am
Hi, Rockonn
What is the message displayed when the Internet is not accessible? Also, check the ISA logging to see whether the traffic is blocked.
February 24th, 2009 at 10:12 pm
Hi,
I have a problem like this: we are using ISA 2006 as a web proxy server and all are web proxy clients. Now FTP sites are not loading, and even through the command prompt we can’t connect to FTP servers.
Please help me.
Sudhir
March 4th, 2009 at 8:56 am
Hi, Sudhir
Check whether the rule that allows the FTP protocol is configured correctly. Check the ISA Server log to see whether FTP traffic is blocked by ISA Server.
March 6th, 2009 at 9:26 pm
Hi,
Once again I am disturbing you. I am using ISA 2006 as a web proxy server, all users are connected as web proxy clients, and all users are authenticated by the domain controller. I have created a rule that allows all outbound traffic from internal to external for domain-authenticated users.
I have also created two rules for FTP and POP3 with all users.
Now I can access FTP sites with anonymous access, but I can’t access FTP sites that require a username and password through the web proxy client, although it works with the firewall client. So please help me.
Thanks & Regards
Sudhir
May 23rd, 2009 at 6:33 pm
Hi, I just wanted to find out: I’ve got an MS Server 2003 SP2 with ISA Server 2006 SP1 and I have a problem. Whenever I try to connect to an external POP3 or IMAP server like Gmail from my internal network with Outlook Express or MS Office Outlook, I get error 0x800CCC0e, connection to the server has failed. I have allow rules on ISA Server for POP3 and IMAP. In the ISA Server logging I can see POP3 initiate on port 110 to the POP3 server, and then directly after that it denies the POP3 server coming back to the internal network as unidentified traffic on a totally different port; sometimes the port differs, from 50000 to, say, 52000. POP3 works on the ISA Server machine itself; it is just from internal that it does not work. Any help would be appreciated.
May 25th, 2009 at 10:04 pm
Hi, Sudhir
If you’re using web proxy, clients can’t upload to an FTP site. See the link below for more information and solution from Microsoft.
Troubleshooting Outbound FTP Access in ISA Server
May 25th, 2009 at 10:15 pm
Hi, Christo
Does this problem occur on Gmail only?
It seems that Gmail doesn’t use the regular ports to send/receive mail.
Try these ports in the configuration.
Incoming mail (POP3 or IMAP) server: pop.gmail.com (port 995)
Outgoing e-mail server (SMTP) name: smtp.gmail.com (port 465)
Reference:
http://mail.google.com/support/bin/answer.py?answer=86383
May 26th, 2009 at 12:23 am
Hi linglom, it’s not only Gmail; the ones I’ve tried are Vodamail and Gmail: Vodamail with POP3 and Gmail with IMAP.
Every time, it denies the traffic as unidentified traffic coming back from the POP3 or IMAP server, and the port that it comes back on differs every time. On the ISA server itself it works fine.
May 31st, 2009 at 10:41 am
Have you tried my suggestion in the comment above with Gmail? Does it work?
July 21st, 2009 at 1:30 pm
I must appreciate your dedication in educating others!
Great!
September 30th, 2009 at 7:42 am
I have my ISA 2006 Firewall up and running, and I’ve managed to get ports open for almost all my programs. However, I am confused about getting some TCP ports open for a p2p sharing program we use. Could someone here define the differences between UDP Send, Send/Receive, Receive, and Receive/Send? Also, on the TCP settings, I’ve never had to designate incoming or outgoing; what specifies which is which, and how do you know which is needed? Most of the info I have found applies to SOHO routers and setting up port forwarding, and on SOHO routers it just opens them up, I assume both ways.
December 8th, 2009 at 4:25 pm
Dear Linglom,
Please could you give me any idea? I have a problem on ISA 2006: I couldn’t access inbound and outbound permits for VPN access clients.
January 6th, 2010 at 10:10 am
Hi, Naw Aung
I don’t use VPN so I can’t support you in this case. I recommend you ask at isaserver.org. If you are new to VPN on ISA Server, you might want to read Creating a Site to Site VPN using ISA 2006 Firewalls at the Main and Branch Office to get some idea about VPN on ISA Server.
February 3rd, 2010 at 4:00 am
Can somebody tell me how to configure a TCP port in ISA Server 2006?
Thanks
Anupam
February 24th, 2010 at 1:23 pm
Hey All
I configured ISA. Now I can ping any site from clients, but I can’t access any website, but getting in ISA server
Thanks
Sky
February 26th, 2010 at 9:29 am
Hi, Anupam
On step 4, you can customize the TCP port by double-clicking an available protocol. You can also create a new one by clicking New and selecting the appropriate protocol group for it.
Hi, Sky
Check ISA logging to see whether there is any denied traffic from the client. Also, check the access rules on ISA Server to see whether they allow HTTP traffic.